CVE-2022-31152

Name
CVE-2022-31152
Description
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix specification defines a list of [event authorization rules](https://spec.matrix.org/v1.2/rooms/v9/#authorization-rules) which must be checked when determining whether an event should be accepted into a room. In versions of Synapse up to and including 1.61.0, some of these rules are not correctly applied. An attacker could craft events that Synapse would accept but a spec-conformant server would reject, potentially causing the room state to diverge between servers. Administrators of homeservers with federation enabled are advised to upgrade to version 1.62.0 or higher. As a workaround, federation can be disabled by setting [`federation_domain_whitelist`](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#federation_domain_whitelist) to an empty list (`[]`).
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/matrix-org/synapse/pull/13087
MISC https://github.com/matrix-org/synapse/pull/13088
MISC https://github.com/matrix-org/synapse/releases/tag/v1.62.0
CONFIRM https://github.com/matrix-org/synapse/security/advisories/GHSA-jhjh-776m-4765

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:* synapse >= None < 1.62.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
synapse 3.16-community 1.61.1-r0 6543 <6543@obermui.de> possibly vulnerable